
Accounting Information System Gelinas Gelinas 10th Edition Solutions Manual

Accounting Information Systems, 10e 1

SOLUTIONS FOR CHAPTER 7

Each end-of-chapter question in the Solutions Manual is tagged to correspond with AACSB, AICPA
and CISA standards, allowing professors to more easily manage the task of reporting outcomes to these
professional and accrediting bodies. Please see the corresponding spreadsheet file for the tagging
information.

Discussion Questions
DQ 7-1 Recently, the U.S. federal government and the American Institute of Certified
Public Accountants (AICPA) have taken aggressive steps aimed at ensuring the
quality of organizational governance. What are these changes, how might they
change organizational governance procedures, and do you believe that these
actions will really improve internal control of business organizations?
ANS. First, the U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX). This
groundbreaking legislation is intended to set the foundation for improved
organizational governance. Most notably, SOX disallows auditors of public
companies from performing most consulting services with their audit clients;
establishes a Public Company Accounting Oversight Board (PCAOB) to watch
over the auditing profession; requires CEOs and CFOs to sign quarterly and
annual financial statements submitted to the SEC (by signing, the CEOs and
CFOs are certifying that the financial statements are correct in all material
respects); and requires CEOs, CFOs, and independent auditors to sign an internal
control report that details the presence and effectiveness of the company’s internal
controls.
The AICPA has developed a special portal on its Web site devoted to SOX
implementation activities, enhanced its ethics enforcement process, and voiced its
strong intention to further strengthen the independence of public auditors and the
integrity of all CPAs.
Will these steps improve internal control of business organizations? [Let the
students express and support their opinions. This should generate insightful
discussions.]
DQ 7-2 “Enterprise Risk Management is a process for organizational governance.”
Discuss why this might be correct and why it might not.
ANS. Let’s look at the elements of the definitions of these two concepts side-by-side:

| Organizational Governance | Enterprise Risk Management | Comment |
|---|---|---|
| A process. | A process. | Both are clear that governance is an ongoing endeavor. |
| | Effected by an entity’s board of directors, management, and other personnel. | ERM explicitly places the responsibility for governance at the top of the organization. |
| Organizations select objectives. | Applied in strategy setting and across the enterprise. | Both assert that strategy and objectives must be chosen first and be the basis for governance. |
| | Identify potential events that may affect the entity. | ERM describes a process for establishing what processes (and controls) must be put in place, considering risk, to provide a reasonable assurance of achieving objectives. Although not part of the definition, monitoring is one of ERM’s eight elements. |
| | Manage risk to be within its risk appetite. | |
| Establish processes to achieve objectives. | Provide reasonable assurance regarding achievement of entity objectives. | |
| Monitor performance. | | |
| | Categories of management objectives: strategic, operations, reporting, compliance. | These ERM categories provide a useful template for selecting objectives. |

DQ 7-3 “If it weren’t for the potential of computer crime, the emphasis on controlling
computer systems would decline significantly in importance.” Do you agree?
Discuss fully.
ANS. Without computer crime, and the attendant, fascinating stories, public awareness
of the importance of controlling computer systems might decline. However, while
the dollar loss from each incident of computer crime is high, the total of the losses
from unintentional errors is higher than the total of the losses from computer
crimes. Also, as described in this chapter, control systems help an organization
achieve organizational goals and objectives, only one of which is to reduce the
incidence of computer crime.
DQ 7-4 Provide five examples of potential conflict between the control goals of ensuring
effectiveness of operations and of ensuring efficient employment of resources.
ANS. 1. By striving to answer many customer telephone calls, a customer service
representative rushes each call. These hurried phone calls reduce the level of
customer service.
2. To reduce the investment in inventory, stock levels are kept low. These levels
are inadequate and a high number of back orders results.
3. Although the batch printing of shipping documents is an efficient use of
computer resources, shipments are delayed.
4. Ensuring effectiveness of operations may require that we hire an additional
employee and purchase an additional computer to respond to customer
inquiries. This may not be an efficient use of resources.
5. To adequately segregate duties and ensure effectiveness of operations, we may
hire an additional employee. However, this may lead to an inefficient use of
personnel resources.

DQ 7-5 Discuss how the efficiency and effectiveness of a mass-transit system in a large
city can be measured.
ANS. The main purpose of this question is to reinforce the ideas that (1) effectiveness
must be judged in light of objectives and (2) efficiency is the relationship of
inputs to outputs.
A mass-transit system may be established with many purposes. For example:

• To reduce traffic on the highways just enough to preclude highway expansion
• To provide affordable transportation to all residents
• To encourage inner-city travel and tourism
• To assist in the economic development of certain areas

Effectiveness is judged in light of the objectives of the system. For example, does
mass transit reduce traffic on the highways?
The efficiency of the mass transit system could be measured in terms of cost per
passenger mile.
DQ 7-6 “If input data are entered into the system completely and accurately, then the
information system control goals of ensuring update completeness and of ensuring
update accuracy will be automatically achieved.” Do you agree? Discuss fully.
ANS. No, we do not agree. The text distinguishes input and update because these steps
are often separate and because successful update does not necessarily follow from
successful input. The computer system could fail to completely or accurately
update the master data.
DQ 7-7 “Section 404 of SOX has not been a good idea. It has been too costly and it has
not had its intended effect.” Do you agree? Discuss fully.
ANS. As reported in the chapter, reviews of the results of SOX Section 404 are mixed.
Certainly, its implementations have been quite costly. Also, some foreign firms
are delisting their stocks from U.S. exchanges or are halting efforts to list on the
exchanges to avoid SOX requirements. Some firms are going private or not
becoming public to avoid the requirements of SOX, especially Section 404. On
the other hand, some control systems have been improved, and firms are
improving their business processes as a result of their SOX 404 efforts. Bottom
line, it is a matter of opinion as to whether SOX Section 404 has been worth the
effort. AS5, which requires a top-down, risk-based approach to the integrated
audit, is expected to further reduce the time and cost of complying with SOX
Section 404.
DQ 7-8 How does this text’s definition of internal control differ from COSO? How does it
differ from the controls that are subject to review under Section 404 of SOX?
ANS. The text’s definition of internal control is aimed at all reporting, not just financial
reporting. Both COSO and SOX 404 are interested only in controls over the
information systems and output reporting that are related to financial reporting.
The text’s definition of internal control, like COSO, includes efficiency and
effectiveness of operations, whereas the PCAOB has explicitly stated that the
controls that are to be reviewed pursuant to SOX Section 404 are only those that
affect financial transactions and financial reporting. COSO and this textbook, on
the other hand, are interested in the overall system of internal control and all
organizational processes. As such, these definitions apply to all processes, all
controls, and to all types of audits of these processes and controls, including
financial statement audits; internal audits for efficiency, effectiveness, and
compliance; and IT audits for overall efficiency, effectiveness, and security of IT
resources and operations.
DQ 7-9 What, if anything, is wrong with the following control hierarchy? Discuss fully.
1. Pervasive control plans (highest level of control)
2. The control environment
3. Application controls
4. Business process control plans
5. IT general controls (lowest level of control)

ANS. The correct order from highest to lowest level of control is (see also Figure 7.6)
the following:
1. The control environment
2. Pervasive control plans
3. IT general controls (major subset of pervasive controls)
4. Business process control plans
5. Application controls (major subset of business process controls)

Short Problems
SP 7-1 ANS. The answer should note the differences in the following two internal control
cubes: that of SAS 78 followed by that of the ERM. Note that the latter basically
builds on the former.

SP 7-2 ANS.
1. B
2. E
3. A(F)
4. H
5. D

SP 7-3 ANS.
1. H(B)
2. C
3. A(F,C)
4. B
5. E

SP 7-4 ANS. Answers will vary among students.

Problems
P 7-1 ANS.
1. E
2. H
3. B (and I)
4. L
5. G
6. K
7. D
8. A (and I)
9. C
10. F

P 7-2 ANS. The major implication is that management can be held legally accountable for the
organization’s control system. Under the Foreign Corrupt Practices Act (FCPA),
for example, an officer of an organization must ensure that the organization
maintains adequate accounting records. Recently, Section 404 of the
Sarbanes-Oxley Act of 2002 has reinforced this management responsibility by requiring
that organizations develop a system of internal control, report on that system in
their annual report, and have their independent auditors assess the effectiveness of
that system. So, as this chapter points out, an organization must develop and
maintain a system of controls to ensure the effectiveness of the accounting
information system that will maintain the accounting records. Should
management not fulfill this obligation, they can be fined and imprisoned.
Management discharges this responsibility by doing the following:

• Constructing an internal control system, including an internal audit
department.
• Establishing a control environment incorporating audit committees,
nonconflict of interest affidavits, control policies, and reward systems that
support, rather than undermine, the control policies.
• Being actively and continuously involved in the design, operation, review, and
modification of the organization’s systems and related control systems. This
may involve participation in—or at least approval of—the systems
development process.

In addition to the legal responsibility for control, increasing pressure is being
applied to the board of directors and management by the public, stockholders, and
the other stakeholders of organizations. These stakeholders want to be confident
that the organization is well managed and that its assets are protected. Several
control frameworks have been issued that provide guidance to boards and
management. In addition to COSO, introduced in this chapter, and COBIT,
introduced in Chapter 8, the following frameworks have been published:

• From Canada, the Canadian Institute of Chartered Accountants Guidance on
Assessing Control
• From the United Kingdom, the Turnbull Report: Revised guidance for
Directors on the Combined Code
• From South Africa, The King II Report on Corporate Governance for South
Africa, 2007

P 7-3 ANS.
| Situation | Control Goal | Explanation |
|---|---|---|
| 1. | E and A | Checking to make sure that shipping notices are received for all sales orders issued addresses the goal of ensuring that event data inputs (i.e., shipping notices representing actual sales) are completely recorded. Answer A is appropriate here if we assume that timely shipments to customers are a measure of a system’s effectiveness. |
| 2. | F and D | Double checking unit prices helps to ensure that the prices actually billed are accurate. Answer D is appropriate if we explain that checking prices against an authorized price list helps to ensure that the event was an authorized one (input validity). |
| 3. | G and H | If the dollar change to AR does not equal the dollars of payments, then the updates were either incomplete, inaccurate, or both. For example, let’s say that payments in the cash receipts event data equal $600, and the starting balance in AR, before the update run, was $4,500. Then the ending balance in AR, after the update run, must equal $3,900. If not, something went wrong during the run. Some payments were not posted (UC), or some were posted incorrectly (UA). |
| 4. | D | The fact that the shipments were bogus means that they did not represent real, actual events and were therefore, by definition, invalid event data. |
| 5. | E | A vendor is unlikely to send two different invoices with the same number. Thus, the second instance of invoice #12345 is probably a duplicate of the first. The second invoice should be rejected to ensure that the invoice is processed once and only once (input completeness). |
| 6. | F | Under the definitions given in the chapter, data elements missing from an input document are instances of lack of input accuracy as opposed to input completeness, which relates to recording all events that occurred. |
| 7. | A and B | Speeding up the cash deposits has to do with achieving timeliness in cash receipts processing, an operations process by which we judge system effectiveness. Answer B is appropriate if we explain that it is more efficient to have the computer prepare documents than it is to prepare them manually. |
| 8. | C | The restrictive endorsement prevents the checks from being misappropriated, thereby helping to ensure security over the cash asset. |

P 7-4 ANS. Description Answer


1. J
2. C
3. F
4. H
5. D
6. B
7. G
8. I
P 7-5 ANS.
Part A: Current Scenario:

Dollar loss (sales) per hour of downtime $10,000
Internal downtime incidents per year 50
External downtime incidents per year 50
Total downtime incidents per year 100

Expected Gross Risk $1,000,000

Preventative Measures
Annualized cost of redundant technology $150,000
Annualized cost of ISP 100,000
Total annualized cost of preventive measures 250,000

Residual Expected Risk $1,250,000

Part B: Additional Redundant Technology
Dollar loss (sales) per hour of downtime $10,000
Internal downtime incidents per year 15
External downtime incidents per year 50
Total downtime incidents per year 65

Expected Gross Risk $650,000

Preventive Measures
Annualized cost of redundant technology $250,000
Annualized cost of ISP 100,000
Total annualized cost of preventive measures 350,000

Residual Expected Risk $1,000,000


Part C: Additional Redundant Technology and Additional ISP Support


The answer to Part C of problem 7-6 depends on the organization’s level of risk
tolerance.

If the company remains with the current ISP contract of no more than 50 downtime
incidents, the residual expected risk is $1,000,000 (see Part B above).

If the company moves to a higher support level of no more than 40 downtime incidents,
the residual expected risk is $950,000 (see Part C.1 below).

If the company moves to a higher support level of no more than 30 downtime incidents,
the expected residual risk is $900,000 (see Part C.2 below).

If the company moves to a higher support level of no more than 20 downtime incidents,
the residual expected risk is $900,000 (see Part C.3 below).

If the company moves to a higher support level of no more than 10 downtime incidents,
the residual expected risk is $925,000 (see Part C.4 below).

If the company moves to a higher support level of no more than 0 downtime incidents,
the residual expected risk is $950,000 (see Part C.5 below).

Guarantees of either 20 or 30 maximum downtime incidents per year each yield an expected residual risk of
$900,000.00. Thus, management would be prudent to pay for a guarantee of only 20 rather than 30 incidents
because the former would also result in less customer dissatisfaction if and when downtime incidents occur.

Part C.1: Additional Redundant Technology and Additional ISP Support for 40 Downtime Incidents
Dollar loss (sales) per hour of downtime $10,000
Internal downtime incidents per year 15
External downtime incidents per year 40
Total downtime incidents per year 55

Expected Gross Risk $550,000

Preventive Measures
Annualized cost of redundant technology $250,000
Annualized cost of ISP 150,000
Total annualized cost of preventive measures 400,000

Residual Expected Risk $950,000


Part C.2: Additional Redundant Technology and Additional ISP Support for 30 Downtime Incidents
Dollar loss (sales) per hour of downtime $10,000
Internal downtime incidents per year 15
External downtime incidents per year 30
Total downtime incidents per year 45

Expected Gross Risk $450,000

Preventive Measures
Annualized cost of redundant technology $250,000
Annualized cost of ISP 200,000
Total annualized cost of preventive measures 450,000

Residual Expected Risk $900,000

Part C.3: Additional Redundant Technology and Additional ISP Support for 20 Downtime Incidents
Dollar loss (sales) per hour of downtime $10,000
Internal downtime incidents per year 15
External downtime incidents per year 20
Total downtime incidents per year 35

Expected Gross Risk $350,000

Preventive Measures
Annualized cost of redundant technology $250,000
Annualized cost of ISP 300,000
Total annualized cost of preventive measures 550,000

Residual Expected Risk $900,000

Part C.4: Additional Redundant Technology and Additional ISP Support for 10 Downtime Incidents
Dollar loss (sales) per hour of downtime $10,000
Internal downtime incidents per year 15
External downtime incidents per year 10
Total downtime incidents per year 25

Expected Gross Risk $250,000

Preventive Measures
Annualized cost of redundant technology $250,000
Annualized cost of ISP 425,000
Total annualized cost of preventive measures 675,000

Residual Expected Risk $925,000


Part C.5: Additional Redundant Technology and Additional ISP Support for 0 Downtime Incidents
Dollar loss (sales) per hour of downtime $10,000
Internal downtime incidents per year 15
External downtime incidents per year 0
Total downtime incidents per year 15

Expected Gross Risk $150,000

Preventive Measures
Annualized cost of redundant technology $250,000
Annualized cost of ISP 550,000
Total annualized cost of preventive measures 800,000

Residual Expected Risk $950,000

P 7-6 ANS. We might compare the elements of these two control matrices as follows:
| Figure 7.7 (the textbook) | Figure 7.8 (PwC) | Comment |
|---|---|---|
| Control goals of the Lenox cash receipts business process. | Subprocess. | Both name the process. |
| Control goals of the operations process. | NA | PwC matrix relates to controls over financial reporting and operations are beyond the scope of the PwC matrix. |
| Ensure effectiveness of operations (and effectiveness goals). | NA | Operations are beyond the scope of the PwC matrix. |
| Ensure efficient employment of resources. | NA | Operations are beyond the scope of the PwC matrix. |
| Ensure security of resources. | Information processing objective (restricted access). | PwC’s objective is to restrict access to information resources. Figure 7.7’s objective also includes other assets. |
| Control goals of the information process. | Control objective. | PwC states an overall objective for each process. In Figure 7.7, this is a heading for more specific control goals. |
| Input validity. | Information processing objective (validity). | Same. |
| Input completeness/update completeness. | Information processing objective (completeness). | Same, but PwC does not address updates. |
| Input accuracy/update accuracy. | Information processing objective (accuracy). | Same, but PwC does not address updates. |
| Recommended control plans. | Description and frequency of control activity. | Figure 7.7 does not address frequency of the control activity. |
| NA | Financial statement area. | PwC matrix is for controls over financial reporting and states the area of interest. |
| NA | Assertions. | These are the financial statement assertions that guide testing in a financial statement audit. Testing of controls is beyond the scope of the AIS text. |
| NA | P or D. | Figure 7.7 does not specifically classify controls as preventive, detective, or corrective. |
| NA | A or M. | Figure 7.7 does not classify controls as automated or manual. |

The overall assessment is that the matrices are quite similar. In fact, the control
matrix for this textbook was adapted from earlier versions of a PwC matrix (one
that was developed by Coopers & Lybrand, one of the firms that became part of
PwC). The PwC matrix, focused as it is on the financial statement audit, has
information that is related to that endeavor. The matrix from this textbook is more
expansive in that it looks at controls over efficiency and effectiveness of
operations and controls related to financial reporting.
